GHSA-RWJG-C3H2-F57P
Vulnerability from github – Published: 2025-12-05 18:14 – Updated: 2025-12-05 18:14Summary
Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.
Details
This occurs when the SAN is encoded as a BMPSTRING or UNIVERSALSTRING, and its UTF-8 conversion result is truncated at the first null byte during string assignment. As a result, "victim\0evil" may match an exact: "victim" rule and be accepted by Envoy.
PoC
Create a CA and a server certificate signed by that CA. Create two client certificates signed by the same CA: client_evil with OTHERNAME BMPSTRING = "evil" client_null with OTHERNAME BMPSTRING = "victim\0evil" Configure Envoy with require_client_certificate: true and a match_typed_subject_alt_names entry for the OTHERNAME OID with matcher.exact: "victim". Connect without a client cert → connection rejected. Connect with client_evil → connection rejected. Connect with client_null → connection accepted (but shouldn't!).
Impact
An attacker who can obtain a trusted client certificate with a null byte embedded in an OTHERNAME SAN can exploit this vulnerability. The practical impact is unauthorized impersonation of the matched identity, enabling access to services or APIs protected by that exact OTHERNAME check.
Credit
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.36.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.36.0"
},
{
"fixed": "1.36.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.35.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.35.0"
},
{
"fixed": "1.35.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.34.10"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.34.0"
},
{
"fixed": "1.34.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.33.12"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.33.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66220"
],
"database_specific": {
"cwe_ids": [
"CWE-170"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-05T18:14:02Z",
"nvd_published_at": "2025-12-03T19:15:58Z",
"severity": "MODERATE"
},
"details": "### Summary\nEnvoy\u2019s mTLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte (\\0) inside an `OTHERNAME` SAN value as valid matches.\n\n### Details\nThis occurs when the SAN is encoded as a `BMPSTRING` or `UNIVERSALSTRING`, and its UTF-8 conversion result is truncated at the first null byte during string assignment. As a result, `\"victim\\0evil\"` may match an exact: `\"victim\"` rule and be accepted by Envoy.\n\n### PoC\n\nCreate a CA and a server certificate signed by that CA.\nCreate two client certificates signed by the same CA:\nclient_evil with OTHERNAME BMPSTRING = \"evil\"\nclient_null with OTHERNAME BMPSTRING = \"victim\\0evil\"\nConfigure Envoy with require_client_certificate: true and a match_typed_subject_alt_names entry for the OTHERNAME OID with matcher.exact: \"victim\".\nConnect without a client cert \u2192 connection rejected.\nConnect with client_evil \u2192 connection rejected.\nConnect with client_null \u2192 connection accepted (but shouldn\u0027t!).\n\n### Impact\nAn attacker who can obtain a trusted client certificate with a null byte embedded in an OTHERNAME SAN can exploit this vulnerability. The practical impact is unauthorized impersonation of the matched identity, enabling access to services or APIs protected by that exact OTHERNAME check.\n\n### Credit\n[markevich.nikita1@gmail.com](mailto:markevich.nikita1@gmail.com)",
"id": "GHSA-rwjg-c3h2-f57p",
"modified": "2025-12-05T18:14:03Z",
"published": "2025-12-05T18:14:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66220"
},
{
"type": "PACKAGE",
"url": "https://github.com/envoyproxy/envoy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Envoy\u0027s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.